3Com OfficeConnect Wireless information disclosure

3com-officeconnect-information-disclosure (18994)

The risk level is classified as Medium Risk

Description:

3Com OfficeConnect could allow a remote attacker to obtain sensitive information, caused by improper validation of user privileges. A remote attacker could use the administrative Web interface to access various hidden pages (/main/config.bin, /main/profile.wolp?PN=ggg, or /main/event.logs) and obtain sensitive information, such as the administrator's username and password.
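
To check whether these pages have been requested, the following Python script (an added example, not part of the original advisory) scans HTTP access logs from a proxy or sensor in front of the access point's management interface for the three hidden pages named above. The Common Log Format layout, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Paths named in the advisory. The page spells the profile page both
# "profile.wolp" and "profile.wlp", so the pattern accepts either.
HIDDEN_PAGES = re.compile(r"^/main/(config\.bin|profile\.wo?lp|event\.logs)$", re.I)

# Common Log Format: client, request line, status (assumed log layout).
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def find_hidden_page_requests(lines):
    """Return (client, path, status, served) for each request to a hidden page."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Decode percent-escapes and drop the query string before matching,
        # so encoded paths and "?PN=ggg" variants are still caught.
        path = unquote(urlsplit(m["target"]).path)
        if HIDDEN_PAGES.match(path):
            status = int(m["status"])
            # A 200 means the device answered without authentication.
            hits.append((m["client"], path, status, status == 200))
    return hits

# Constructed sample log lines (not taken from a real device or capture).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2005:10:00:01 +0000] "GET /index.htm HTTP/1.0" 200 812',
    '192.0.2.44 - - [20/Jan/2005:10:02:13 +0000] "GET /main/config.bin HTTP/1.0" 200 4096',
    '192.0.2.44 - - [20/Jan/2005:10:02:15 +0000] "GET /main/profile.wlp?PN=ggg HTTP/1.0" 200 950',
    '192.0.2.44 - - [20/Jan/2005:10:02:19 +0000] "GET /main/%65vent.logs HTTP/1.0" 401 0',
    'malformed line',
]

if __name__ == "__main__":
    for client, path, status, served in find_hidden_page_requests(SAMPLE_LOG):
        verdict = "SERVED: treat stored credentials as exposed" if served else "not served"
        print(f"{client} {path} {status} {verdict}")
```

Any hit with a 200 status on firmware earlier than 1.03.07A is a reason to rotate the administrator password after upgrading.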


Consequences:

Obtain Information

Remedy:

Upgrade to the latest firmware version (1.03.07A or later), available from the 3Com Download Web page. See References.

References:

  • 3Com Download Web page: 3Com Downloads.
  • iDEFENSE Security Advisory 01.20.05: 3Com OfficeConnect Wireless 11g AP Information Disclosure Vulnerability.
  • BID-12322: 3Com OfficeConnect Wireless 11g Access Point 3CRWE454G72 Information Disclosure Vulnerability
  • CVE-2005-0112: The web-based administrative interface for 3Com OfficeConnect Wireless 11g Access Point (AP) 1.00.08, and possibly earlier versions before 1.03.07A, allows remote attackers to bypass authentication and obtain sensitive information by directly accessing the (1) config.bin (2) profile.wlp?PN=ggg or (3) event.logs URLs.
  • SA13942: OfficeConnect Wireless 11g Access Point Information Disclosure
  • SECTRACK ID: 1012958: 3Com OfficeConnect Wireless 11g Access Point Discloses Passwords and Keys to Remote Users

Platforms Affected:

  • 3Com OfficeConnect Wireless 11g Access Point 3CRWE454G72 1.0.2
  • 3Com OfficeConnect Wireless 11g Access Point 3CRWE454G72 1.0.2.11
  • 3Com OfficeConnect Wireless 11g Access Point 3CRWE454G72 1.03.05

Reported:

Jan 20, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
